Florian Roth | 130ce58ff6 | 2022-04-20 07:50:59 +02:00
    Merge pull request #2928 from SigmaHQ/aurora-false-positive-fixing
    fix: FPs

Florian Roth | 98db7bb137 | 2022-04-19 19:08:49 +02:00
    Update file_event_win_susp_dropper.yml

Florian Roth | 89d8851cca | 2022-04-19 18:53:18 +02:00
    Update file_event_win_susp_dropper.yml

Florian Roth | 0bbf08640c | 2022-04-17 09:28:43 +02:00
    fix: FPs increase level

Florian Roth | a10b8ae45b | 2022-04-13 19:25:11 +02:00
    fix: MITRE tags

Florian Roth | d8205de338 | 2022-04-13 19:19:20 +02:00
    fix: typo in CVE number

Florian Roth | 35770c7035 | 2022-04-13 19:18:15 +02:00
    rule: CVE-2022-23527 LPE
    https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/

Florian Roth | 0b4bfad074 | 2022-03-29 21:06:30 +02:00
    Merge branch 'master' into aurora-false-positive-fixing

Florian Roth | 567cdad7b5 | 2022-03-29 19:48:40 +02:00
    fix: cleanmgr.exe FPs

Florian Roth | a9bf73f33c | 2022-03-26 19:07:53 +01:00
    Merge pull request #2856 from redsand/fp_filter_ccm_setup
    Filtering of ccm setup executables

Florian Roth | df2cbc9765 | 2022-03-26 18:42:47 +01:00
    refactor: single element list

Tim Shelton | 2918383643 | 2022-03-26 16:09:09 +00:00
    Oops... syntax err... early morning

Tim Shelton | a587d4145e | 2022-03-26 15:23:57 +00:00
    Filtering of ccm setup executables

Florian Roth | 016265169d | 2022-03-25 13:42:56 +01:00
    docs: changed description and title of two rules

phantinuss | 6ae28b7a1c | 2022-03-16 14:35:19 +01:00
    fix: legitimate --> Legitimate

phantinuss | 84d0c472ba | 2022-03-16 14:33:18 +01:00
    fix: remove penetration test as valid false positive reason

phantinuss | 8d3f8acb60 | 2022-03-16 14:19:21 +01:00
    fix: none --> Unknown

phantinuss | b23eee6ebf | 2022-03-16 13:43:54 +01:00
    fix: unknown --> Unknown

Florian Roth | 306bb438e3 | 2022-03-15 18:05:04 +01:00
    CrackMapExec patterns

frack113 | c5c72124b1 | 2022-03-13 19:22:08 +01:00
    WindowsUpdate FP

Florian Roth | 52f2b7f966 | 2022-03-11 20:56:06 +01:00
    Merge pull request #2795 from SigmaHQ/rule-devel
    refactor: lsass dump files names, new: NTDS.dit exfiltration activity

Florian Roth | c843293e47 | 2022-03-11 18:14:09 +01:00
    rules: NTDS.DIT exfiltration

Florian Roth | 1c9fefc478 | 2022-03-10 21:03:16 +01:00
    refactor: add iocs to lsass dump files names

frack113 | 3cb0640192 | 2022-03-09 20:56:35 +01:00
    Add file_event_win_susp_dropper

phantinuss | b2d68616b5 | 2022-03-02 14:48:37 +01:00
    fix: FPs with webex and temp assembly

frack113 | ec7319be21 | 2022-02-27 07:39:46 +01:00
    Name Normalization

Florian Roth | d6d206d6d6 | 2022-02-25 16:02:42 +01:00
    rules: BlackByte rule update, and some generic rules

Florian Roth | 41d5b87839 | 2022-02-22 17:33:05 +01:00
    Merge pull request #2722 from SigmaHQ/rule-devel
    New rules and FP fixes

Florian Roth | 24ece0c60a | 2022-02-22 16:33:51 +01:00
    Merge branch 'master' into rule-devel

Florian Roth | 3a40ea79d3 | 2022-02-22 08:52:51 +01:00
    fix: FPs noticed with Aurora

Florian Roth | 921d46ca79 | 2022-02-21 18:43:18 +01:00
    fix: FPs noticed with Aurora

Florian Roth | ab3f1f6e7d | 2022-02-16 16:59:32 +01:00
    refactor: extend values - sam rule

frack113 | 171edbd1bc | 2022-02-14 06:34:20 +01:00
    Merge pull request #2694 from frack113/Red_20220213
    Windows Redcannary

frack113 | f288134b41 | 2022-02-13 11:04:00 +01:00
    Windows Redcannary

frack113 | 7e3c088165 | 2022-02-12 15:53:13 +01:00
    Windows Redcannary

Florian Roth | 891475dccb | 2022-02-11 18:06:20 +01:00
    Merge pull request #2684 from SigmaHQ/rule-devel
    rules: SAM dump, suspicious program names, iso/img mount

Florian Roth | 0476b8693d | 2022-02-11 14:15:51 +01:00
    refactor: extended .iso rule

Florian Roth | 3fa2d13e10 | 2022-02-11 12:37:35 +01:00
    rule: iso / img file mount

Florian Roth | 8e255bfdaf | 2022-02-11 12:16:40 +01:00
    refactor: sam hive dump filename rule

Florian Roth | e6989f9efb | 2022-02-11 11:58:02 +01:00
    rules: samdumps, suspicious program names

phantinuss | 43bae23f23 | 2022-02-09 17:47:22 +01:00
    fix: several FPs against a freshly installed Windows with example applications and basic user interaction

Tim Shelton | 913aac6695 | 2022-02-07 16:58:58 +00:00
    allow fp from wbengine

Florian Roth | 80a552d28d | 2022-02-06 14:26:55 +01:00
    refactor: lsass dump filename IOC pattern

Florian Roth | 0d27cf9681 | 2022-01-31 16:38:58 +01:00
    Merge pull request #2624 from SigmaHQ/rule-devel
    Some TeamViewer rules

frack113 | 7ceb3968d8 | 2022-01-31 06:24:02 +01:00
    Update file_event_susp_teamviewer_remote_session.yml

Florian Roth | c35973d6e7 | 2022-01-30 22:26:13 +01:00
    rule: TeamViewer remote session

frack113 | 5b30db61b0 | 2022-01-28 16:12:38 +01:00
    Add windows redcannary rules

frack113 | f1959f25d7 | 2022-01-23 16:37:59 +01:00
    Windows Redcannary

Florian Roth | 7dabe5e7a8 | 2022-01-21 17:47:52 +01:00
    Merge pull request #2591 from frack113/colorcpl
    add win_fe_susp_colorcpl

frack113 | 97f4bda4bc | 2022-01-21 14:16:35 +01:00
    add win_fe_susp_colorcpl